SCCM HTTPS Setup Guide for MP DP SUP Site Systems

This SCCM HTTPS setup guide for the MP, DP and SUP site systems is written in the context of co-management and of ConfigMgr HTTP-only client communication going out of support.

Learn how to set up HTTPS communication for the SCCM DP, MP, and SUP once you have completed the PKI certificate prerequisite and are ready to configure the MP and SUP site system components to use SSL/HTTPS.

This post explains HTTPS MP and HTTPS SUP configurations via video tutorial and step-by-step instructions. It describes all these configurations using SCCM 1802 production version infrastructure.

Let’s understand HTTPS and whether or not HTTPS communications between the SCCM server and client are secured.


Video Tutorial to Setup HTTPS/SSL MP and SUP Site System Server

A quick video tutorial on setting up HTTPS/SSL MP and SUP Site System Server.

SCCM HTTPS Setup Guide for MP DP SUP Site Systems – Video 1

Basics of HTTPS

This guide starts with an excellent HTTPS communication diagram produced by Alex Xu, who explains HTTPS communication in simple terms.


How is the Data Encrypted and Decrypted?

Step 1 – The client (browser) and the server establish a TCP connection.

Step 2 – The client sends a “client hello” to the server. The message contains the set of encryption algorithms (cipher suites) the client supports and the latest TLS version it can use. The server responds with a “server hello” so the browser knows whether the server supports those algorithms and that TLS version.

The server then sends the SSL certificate to the client. The certificate contains the public key, hostname, expiry dates, etc. The client validates the certificate.

Step 3 – After validating the SSL certificate, the client generates a session key and encrypts it using the public key. The server receives the encrypted session key and decrypts it with the private key.

Step 4 – Now that the client and the server hold the same session key (symmetric encryption), the encrypted data is transmitted in a secure bidirectional channel.

Why does HTTPS switch to symmetric encryption during data transmission? There are two main reasons:

  1. Security: Asymmetric encryption only works in one direction. If the server tried to send data back to the client encrypted with the same key pair, anyone could decrypt it using the public key.
  2. Server resources: Asymmetric encryption adds a lot of mathematical overhead. It is not suitable for data transmission in long sessions.

Over to you: how much performance overhead does HTTPS add compared to HTTP?

SCCM HTTPS Setup Guide for MP DP SUP Site Systems – Fig.1 (Pic credit: Alex Xu)

How to Setup HTTPS MP DP – How to make MP communication via SSL channel?

The configuration of the management point (MP) and DP has two parts. The first part is done from the SCCM CB console.

The second part is done from the IIS console on the Management Point server. I have shown both parts in the video tutorial above.

HTTPS MP is one of the requirements for co-management with the SCCM 1802 version.

SCCM MP/DP HTTPS Configuration

A management point provides policy and content location information to clients and receives configuration data from them. This section covers the HTTPS MP configuration from the SCCM CB 1802 console.

• Open the SCCM console –> Administration workspace –> Site Configuration –> Servers and Site System Roles.
• Select the Management Point (MP) server, right-click the Management point role, and click Properties.
• Under the General tab of the MP site system properties window, select HTTPS in the Client connections section. This will reinstall the MP component.
• Choose “Allow Configuration Manager cloud management gateway traffic”.
  Microsoft is constantly improving the design of client-to-CMG-to-MP communication, so I recommend reading the latest Microsoft documentation if you are unsure whether this option is suitable for you.
• Choose to allow mobile devices and Mac computers to use the management point (when required). Click OK to close the window.

IIS Configurations – SCCM MP HTTPS Configuration

Let’s look at the IIS configuration for the SCCM MP/DP/SUP HTTPS setup. Log in to the Management Point (MP) server for the IIS configuration. This section explains the HTTPS MP configuration from the IIS console side.

• Make sure you have successfully enrolled the web server certificate on the MP server.
• Open Internet Information Services (IIS) Manager. Expand Sites, select your MP website (usually ‘Default Web Site’), and select Bindings. Select the HTTPS entry and click Edit.
• Select the new web server certificate, click OK, and then Close.
• Test the HTTPS/SSL connectivity by browsing your MP website using the FQDN over HTTPS; there should be no certificate errors.

SCCM HTTPS Setup Guide for MP DP SUP Site Systems – Fig.2
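The handshake described in the Basics of HTTPS section and the connectivity test at the end of this list can both be checked from a PowerShell prompt on any domain member. This is an added example, not code from the original post; the MP FQDN is a placeholder, and the sms_mp mplist URL is the standard ConfigMgr MP test endpoint.

```powershell
# Added example (not code from the original post): connect to the MP the way a client does,
# report what the handshake negotiated, check the web server certificate, and then request
# the standard MP list endpoint. Assumption: 'mp01.corp.contoso.com' is a placeholder FQDN.
function Test-MpHttps {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 443
    )
    $script:sslErrors = 'NotChecked'
    # Record the chain result instead of throwing, so the certificate can still be inspected.
    $callback = { param($sender, $cert, $chain, $errors) $script:sslErrors = "$errors"; $true }

    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)       # Step 1: TCP connection
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)                               # Steps 2-3: TLS handshake
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result = [pscustomobject]@{
            Fqdn            = $Fqdn
            TlsVersion      = $ssl.SslProtocol
            KeyExchange     = $ssl.KeyExchangeAlgorithm   # how the session key was agreed
            Cipher          = $ssl.CipherAlgorithm        # symmetric cipher used in Step 4
            CertSubject     = $cert.Subject
            CertExpires     = $cert.NotAfter
            NameMatches     = ($cert.DnsNameList.Unicode -contains $Fqdn)
            ServerAuthEku   = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
            ChainErrors     = $script:sslErrors           # 'None' means this client trusts the cert
            MpListReachable = $false
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Standard ConfigMgr MP test URL; a healthy HTTPS MP answers 200 with an XML list of MPs.
    try {
        $r = Invoke-WebRequest -Uri "https://${Fqdn}:${Port}/sms_mp/.sms_aut?mplist" -UseBasicParsing
        $result.MpListReachable = ($r.StatusCode -eq 200)
    }
    catch { Write-Warning "MPLIST request failed: $($_.Exception.Message)" }
    return $result
}

Test-MpHttps -Fqdn 'mp01.corp.contoso.com' | Format-List
```

A result with NameMatches and ServerAuthEku true, ChainErrors None and MpListReachable true is what a client needs before you switch it to HTTPS; anything else points at the certificate, the binding or the trust chain rather than at the MP role itself.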

How to Configure the Software Update Point (SUP) to Use SSL/HTTPS

There are two parts to the Software Update Point (SUP) configuration. The first part is done from the SCCM CB console. The second part is done from the IIS console on the SUP server.

SCCM CB Console Actions

A software update point (SUP) integrates with WSUS to provide software updates to SCCM clients. For SCCM to use a software update point that is not installed on the site server, you must first install the WSUS admin console on the site server. I prefer to use Windows Update for Business for software updates or patching.

• Open the SCCM console –> Administration workspace –> Site Configuration –> Servers and Site System Roles.
• Select the Software Update Point (SUP) server, right-click the Software update point role, and click Properties.
• The ports should already be listed. The WSUS configuration details are:
  Port number: 8530
  SSL port number: 8531
• Click “Require SSL communication to the WSUS server”.
• Click “Allow Configuration Manager cloud management gateway traffic”.
• Choose “Allow Internet and intranet client connections” in the Client Connection Type section. This option is selected automatically when you select “Allow Configuration Manager cloud management gateway traffic.” Click OK to close the window.

SCCM HTTPS Setup Guide for MP DP SUP Site Systems – Fig.3

SUP Server IIS Console

Log in to the Software Update Point (SUP) server for the IIS configuration. This section explains the HTTPS SUP configuration from the IIS console side. To configure SSL on the WSUS server using IIS 7.0:

• On the WSUS server, open Internet Information Services (IIS) Manager.
  Expand Sites, and then expand the WSUS website, WSUS Administration.
• Perform the following steps on each of these virtual directories under the WSUS Administration website:
  • APIRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService
• In Features View, double-click SSL Settings.
  On the SSL Settings page, select the Require SSL checkbox. Ensure that Client certificates is set to Ignore.
  In the Actions pane, click Apply.
  Close Internet Information Services (IIS) Manager.
• Run the following command from <WSUS Installation Folder>\Tools:
  WSUSUtil.exe configuressl <Intranet FQDN of the SUP site system server>
  Restart the IIS services, or click the Recycle button in the IIS console.

SCCM HTTPS Setup Guide for MP DP SUP Site Systems – Fig.4
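The same IIS and WSUSUtil steps, scripted so they can be repeated on every SUP and verified afterwards. This is an added example, not code from the post; it assumes the WebAdministration module is present on the SUP, uses the default WSUS tools folder, and takes a placeholder SUP FQDN.

```powershell
# Added example (not code from the original post): enforce Require SSL on the five WSUS
# virtual directories listed above, run the same WSUSUtil command, then verify that WSUS
# answers on the SSL port and refuses the plain HTTP port. Assumptions: site name and ports
# as in the post; 'sup01.corp.contoso.com' and the WSUS tools folder are placeholders.
Import-Module WebAdministration   # installed with the IIS management tools on the SUP
$WsusSite = 'WSUS Administration'
$WsusDirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'

function Set-WsusRequireSsl {
    # sslFlags 'Ssl' = Require SSL on with Client certificates set to Ignore (the IIS steps above)
    foreach ($vd in $WsusDirs) {
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$WsusSite\$vd" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
}

function Get-WsusSslState {
    foreach ($vd in $WsusDirs) {
        $flags = (Get-WebConfiguration -PSPath "IIS:\Sites\$WsusSite\$vd" `
                  -Filter 'system.webServer/security/access').sslFlags
        [pscustomobject]@{ VirtualDirectory = $vd; SslFlags = $flags
                           RequireSsl = (($flags -split ',\s*') -contains 'Ssl') }
    }
}

function Invoke-WsusConfigureSsl {
    param([Parameter(Mandatory)][string]$Fqdn,
          [string]$ToolsDir = 'C:\Program Files\Update Services\Tools')
    # Same command as the manual step; WSUS rewrites its own config to use the SSL port.
    & (Join-Path $ToolsDir 'WSUSUtil.exe') configuressl $Fqdn
}

function Test-SupHttps {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$HttpPort = 8530, [int]$SslPort = 8531)
    $path = 'ClientWebService/client.asmx'
    $httpsOk = $false; $httpRefused = $false
    try { $httpsOk = (Invoke-WebRequest -Uri "https://${Fqdn}:${SslPort}/$path" -UseBasicParsing).StatusCode -eq 200 }
    catch { Write-Warning "HTTPS request failed: $($_.Exception.Message)" }
    try { Invoke-WebRequest -Uri "http://${Fqdn}:${HttpPort}/$path" -UseBasicParsing | Out-Null }
    catch { $httpRefused = ([int]$_.Exception.Response.StatusCode -eq 403) }   # 403.4: SSL required
    [pscustomobject]@{ Fqdn = $Fqdn; HttpsServesClientWebService = $httpsOk; HttpRefused = $httpRefused }
}

Set-WsusRequireSsl
Get-WsusSslState | Format-Table
Invoke-WsusConfigureSsl -Fqdn 'sup01.corp.contoso.com'
iisreset | Out-Null        # the post's "restart the IIS services" step
Test-SupHttps -Fqdn 'sup01.corp.contoso.com'
```

Run it in an elevated PowerShell session on the SUP; if HttpRefused comes back false, one of the virtual directories still allows plain HTTP and clients will keep talking to WSUS unencrypted.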

Bonus Video – How to Setup PKI for SCCM CB Lab

SCCM HTTPS Setup Guide for MP DP SUP Site Systems – Video 2

Resources

• For more information, see Enable Management Point for HTTPS.
• https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_webserver42008


Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (as of 2021) in IT. He is a blogger, speaker, and leader of the HTMD Community local user group. His primary focus is device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

7 thoughts on “SCCM HTTPS Setup Guide for MP DP SUP Site Systems”

1. Just for clarification. The check box “Require SSL communication to the WSUS server” has nothing to do with the client communication to the SUP, right? This check box merely causes the traffic/communication between the SUP and WSUS to be SSL.

2. I checked the HTTPS box like you show in the video and it instantly broke all my imaging. Nothing could communicate. If there are prerequisites, you could at least mention them, if not go a step further and place a link on how to set them up.

3. Yes, do not simply check HTTPS; there are multiple prerequisites required before you do that, like certificate creation, pushing them to clients, installing them, and so on.

4. Is it possible to apply HTTPS when we have multiple AD domains in different forests? Multiple acquisitions, each with its own AD.
